A composed technical debt identification methodology to predict software vulnerabilities
dc.contributor.advisor | Kühn Tosun, Ayşe | |
dc.contributor.author | Halepmollası, Ruşen | |
dc.contributor.authorID | 504162505 | |
dc.contributor.department | Computer Engineering | |
dc.date.accessioned | 2025-02-11T11:27:54Z | |
dc.date.available | 2025-02-11T11:27:54Z | |
dc.date.issued | 2023-10-27 | |
dc.description | Thesis (Ph.D.) -- Istanbul Technical University, Graduate School, 2023 | |
dc.description.abstract | Software systems must be evolvable and maintainable to meet evolving customer requirements and technology advancements in a rapidly changing IT landscape. Technical debt refers to the accumulated cost that results from rushed design decisions, hasty code implementations, and inadequate testing, which compromise long-term software quality for short-term objectives. When technical debt remains invisible and cannot be managed, it accumulates over time and, similar to financial debt, incurs interest payments in the form of extra effort for future development. The accumulated debt complicates software maintainability and evolvability and potentially leads to security risks. Technical Debt Management is a continuous process, and hence it is important to integrate this process into the overall software development process. Software security is a quality characteristic and refers to the protection of systems and networks against vulnerabilities and exploits by building secure software. By integrating security best practices throughout the software development life cycle, the risks associated with security vulnerabilities can be mitigated. To reduce the likelihood of a system being vulnerable, incorporating security-oriented thinking into the system is the better strategy, since combining functional and secure development throughout the overall life cycle offers protection at all layers of the software. Besides, coding and design flaws are significant contributors to vulnerabilities, highlighting the significance of addressing technical debt as a means to prevent security threats. The main objective of this thesis is to explore the relationship between technical debt and software security and to provide insights that bridge the gap between technical and business stakeholders. To accomplish this objective, we collected and analyzed real-world data from various projects' GitHub repositories and the National Vulnerability Database. 
The vulnerability data is linked to the corresponding code changes, enabling the identification of vulnerability-inducing commits. Moreover, we prepared an additional dataset of code smells using the PMD tool to investigate the impact of code quality issues on software security. In this thesis, we focus on offering valuable insights into the relationship between technical debt and software security through the collection and analysis of real vulnerability data from open source projects. This analysis provides a deeper understanding of how technical debt impacts software security and the associated risks. First, we investigate the relationship between technical debt indicators, such as code smells and code faults, and refactoring activities, recognizing the role of refactoring in mitigating technical debt. In doing so, we provide empirical findings that add depth to the understanding of the impact of refactoring. By analyzing refactoring activities and their impact on technical debt, we aim to identify the extent to which refactoring can increase or reduce code smells and/or faults. Then, we conduct a comprehensive analysis of technical debt indicators, including software metrics, code smells, and bugs, to predict software security risks. By examining multiple technical debt indicators, we aim to provide a holistic view of the relationship between technical debt and vulnerabilities. This analysis will assist in identifying specific indicators that can reliably predict software security risks, thereby enabling proactive mitigation efforts. We conduct two types of research: exploratory research and explanatory research. These methods are used to investigate various aspects of software development, each serving a distinct purpose. Both exploratory and explanatory studies play crucial roles in software engineering research. 
Exploratory studies enable us to explore new or poorly understood phenomena, while explanatory studies allow us to investigate cause-and-effect relationships between variables. | |
dc.description.degree | Ph.D. | |
dc.identifier.uri | http://hdl.handle.net/11527/26410 | |
dc.language.iso | en_US | |
dc.publisher | Graduate School | |
dc.sdg.type | Goal 3: Good Health and Well-being | |
dc.sdg.type | Goal 9: Industry, Innovation and Infrastructure | |
dc.sdg.type | Goal 17: Partnerships to achieve the Goal | |
dc.subject | software vulnerabilities | |
dc.subject | yazılım açıkları | |
dc.subject | software | |
dc.subject | yazılım | |
dc.title | A composed technical debt identification methodology to predict software vulnerabilities | |
dc.title.alternative | Yazılım zafiyetlerini tahmin etmek için kapsamlı bir teknik borç tanımlama yöntemi | |
dc.type | Doctoral Thesis |